bc-java
Any plans to support serverside OCSP stapling / status_request_v2 ?
In the HEAD version, server-side OCSP stapling is not yet implemented. Searching for some OCSP-related implementation, we found some uncommented code approaches in commit 8c138a013bbe409c8d1ff12557cd8da5ace5c5ae.
Do any plans exist to fully implement support for server side OCSP stapling? Or can someone provide some details or thoughts to help us finish implementing this feature?
It is on the TODO list, but not high priority so far in the absence of anyone requesting it (before now). As you can see, the outline has been sketched in comments, mostly missing only the actual OCSP request(s).
org.bouncycastle.jce.provider.ProvOcspRevocationChecker is a class that performs OCSP requests, and does it in the context of client-side CertPath validation if the BC provider is used and OCSP revocation checking is enabled (see org.bouncycastle.jsse.provider.ProvX509TrustManager.addStatusResponses). It underpins the client's OCSP check(s) in the absence of OCSP stapling.
Since OCSP stapling more or less just has the server perform the OCSP requests and send the responses to the client, it should be possible to factor out the OCSP request code from ProvOcspRevocationChecker and use it from ProvTlsServer.getCertificateStatus.
Beware that TLS 1.3 changes the way OCSP stapling works somewhat, and my example code doesn't account for it. Probably easiest to ignore (disable for TLS 1.3) in the first instance.
Also note that this is quite complex and probably not something to take on without a reasonable familiarity with both OCSP itself and TLS more generally (and reading RFCs!).
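The outline in the reply above (server fetches the OCSP response for its own certificate, validates it, and hands it to the TLS layer from getCertificateStatus, skipping TLS 1.3) as an added example. This is not code from bc-java or from the commenter; it uses the public bctls/bcpkix APIs rather than the JSSE-internal ProvTlsServer, so it sits on DefaultTlsServer and leaves credential selection to a subclass. Assumptions: bcprov, bcpkix and bctls are on the classpath, the responder named in the leaf certificate's AIA extension is reachable over plain HTTP, the issuer certificate signs the OCSP response directly (a delegated responder certificate is not handled), and the cache fields and class name are ours.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Date;

import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.*;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tls.CertificateStatus;
import org.bouncycastle.tls.CertificateStatusType;
import org.bouncycastle.tls.DefaultTlsServer;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.util.io.Streams;

/** Hypothetical stapling server: only getCertificateStatus() is added; credentials come from the subclass. */
public abstract class OcspStaplingTlsServer extends DefaultTlsServer {
    private final X509CertificateHolder serverCert, issuerCert;
    private OCSPResp cached;          // last good responder answer (our cache, not a BC field)
    private Date cachedNextUpdate;    // refetch once the responder says it is stale

    protected OcspStaplingTlsServer(TlsCrypto crypto, X509CertificateHolder serverCert, X509CertificateHolder issuerCert) {
        super(crypto);
        this.serverCert = serverCert;
        this.issuerCert = issuerCert;
    }

    @Override
    public CertificateStatus getCertificateStatus() throws IOException {
        // TLS 1.3 moves the staple into the Certificate message; disabled here, as the reply suggests.
        if (TlsUtils.isTLSv13(context.getServerVersion())) return null;
        OCSPResp resp = freshResponse();
        // Returning null sends no CertificateStatus; the client then falls back to its own OCSP check.
        return resp == null ? null : new CertificateStatus(CertificateStatusType.ocsp, resp.toASN1Structure());
    }

    private synchronized OCSPResp freshResponse() {
        Date now = new Date();
        if (cached != null && cachedNextUpdate != null && now.before(cachedNextUpdate)) return cached;
        try {
            String url = findOcspUrl(serverCert);
            if (url == null) return null;
            OCSPReq req = buildRequest(serverCert, issuerCert);
            OCSPResp resp = post(url, req.getEncoded());
            cachedNextUpdate = validate(resp, req, issuerCert, now);
            cached = resp;
            return resp;
        } catch (IOException | OCSPException | OperatorCreationException e) {
            return null;   // never staple something we could not verify; let the client check for itself
        }
    }

    /** First id-ad-ocsp URI in the Authority Information Access extension, or null. */
    static String findOcspUrl(X509CertificateHolder cert) {
        Extension ext = cert.getExtension(Extension.authorityInfoAccess);
        if (ext == null) return null;
        for (AccessDescription ad : AuthorityInformationAccess.getInstance(ext.getParsedValue()).getAccessDescriptions()) {
            GeneralName loc = ad.getAccessLocation();
            if (AccessDescription.id_ad_ocsp.equals(ad.getAccessMethod()) && loc.getTagNo() == GeneralName.uniformResourceIdentifier)
                return DERIA5String.getInstance(loc.getName()).getString();
        }
        return null;
    }

    /** Single-cert request without a nonce, so the responder can serve its cacheable pre-produced answer. */
    static OCSPReq buildRequest(X509CertificateHolder cert, X509CertificateHolder issuer) throws OCSPException, OperatorCreationException {
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        return new OCSPReqBuilder().addRequest(new CertificateID(sha1, issuer, cert.getSerialNumber())).build();
    }

    static OCSPResp post(String url, byte[] der) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        c.setRequestProperty("Content-Type", "application/ocsp-request");
        c.setRequestProperty("Accept", "application/ocsp-response");
        try (OutputStream out = c.getOutputStream()) { out.write(der); }
        if (c.getResponseCode() != 200) throw new IOException("OCSP responder returned HTTP " + c.getResponseCode());
        try (InputStream in = c.getInputStream()) { return new OCSPResp(Streams.readAllLimited(in, 64 * 1024)); }
    }

    /** Checks status, signature by the issuer key, matching CertID, GOOD status and validity window; returns nextUpdate. */
    static Date validate(OCSPResp resp, OCSPReq req, X509CertificateHolder issuer, Date now) throws OCSPException, OperatorCreationException {
        if (resp.getStatus() != OCSPRespBuilder.SUCCESSFUL) throw new OCSPException("responder status " + resp.getStatus());
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
        if (!basic.isSignatureValid(new JcaContentVerifierProviderBuilder().build(issuer.getSubjectPublicKeyInfo())))
            throw new OCSPException("response not signed by issuer");
        SingleResp[] singles = basic.getResponses();
        if (singles.length != 1 || !singles[0].getCertID().equals(req.getRequestList()[0].getCertID()))
            throw new OCSPException("response does not answer our request");
        SingleResp s = singles[0];
        if (s.getCertStatus() != null) throw new OCSPException("certificate status is not GOOD");   // BC: null == GOOD
        if (s.getThisUpdate().after(now) || s.getNextUpdate() == null || !now.before(s.getNextUpdate()))
            throw new OCSPException("response outside its validity window");
        return s.getNextUpdate();
    }
}
```

The cache matters more than it looks: getCertificateStatus runs inside the handshake, so without it every client that sends status_request would cost a blocking round trip to the responder, and a slow or down responder would stall TLS accepts. A production version would refresh the cache from a background thread ahead of nextUpdate and keep serving the last good response meanwhile.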